The Shift in Typosquatting Tactics
Typosquatting has evolved from a user-side problem into a supply-chain threat. Attackers no longer need a user to mistype a URL; instead they plant lookalike domains inside legitimate third-party scripts that already run on a site, so the exfiltration requires no server breach and no user error. AI has sharply lowered the barrier: large language models can generate thousands of convincing domain variants in minutes, and a full campaign can be deployed in under ten minutes. Malicious package uploads surged by 156 percent last year, which makes manual vetting of dependencies effectively obsolete.
How the Trust Wallet Attack Worked
The Trust Wallet incident demonstrated this new attack vector clearly. On December 24, 2025, users began losing funds from their wallets without any phishing link or password reuse. A self-replicating npm worm called Shai Hulud had spent months harvesting developer credentials, including GitHub tokens, npm publishing tokens, and Chrome Web Store API credentials. Those credentials let the attackers push a trojanized build of the Trust Wallet Chrome extension through the official channel; Chrome's review process passed it, and it executed inside users' browsers. There it silently captured seed phrases and transmitted them to a domain disguised as Trust Wallet's own analytics endpoint. Within 48 hours, 2,500 wallets had been drained for a total loss of $8.5 million.
Impact and Detection Challenges
The Trust Wallet attack succeeded because standard security tooling has no visibility into what an approved third-party script or extension does once it executes in the browser. Firewalls, WAFs, and EDR see at most that a request left the machine, not which script assembled it or what it carried. A content security policy is a partial exception: a connect-src directive does block page scripts from contacting an unlisted host, but it says nothing about what the script did before the request, and it does not apply to a browser extension's content scripts, which was the delivery vehicle here. No alert fired during the attack, not because any system failed, but because no system was watching for this type of abuse. The broader implication is that organizations can no longer rely on static, one-time approval of scripts. They must implement runtime monitoring for browser-delivered assets so they can detect when trusted code is silently modified to intercept sensitive data before the legitimate application processes it.
Source: The Hacker News
